mirror of
git://git.yoctoproject.org/meta-selinux
synced 2026-01-01 13:58:04 +00:00
* Update policy for systemd-v256
  c20cf2214 systemd: allow systemd-hostnamed to read vsock device
  4f3437040 systemd: fix policy for systemd-ssh-generator
  d852b7540 devices: add label vsock_device_t for /dev/vsock
  a4a7b830f systemd: add policy for systemd-nsresourced
  47081be47 systemd: allow system --user to create netlink_route_socket
  78cacc708 systemd: allow systemd-networkd to manage sock files under /run/systemd/netif
  29d0bb8c3 systemd: set context to systemd_networkd_var_lib_t for /var/lib/systemd/network
  22fd3ddad Allow interactive user terminal output for the NetLabel management tool.
  c1284c601 bluetooth: Move line.
  50a5555f2 Adding SE Policy rules to allow usage of unix stream sockets by dbus and bluetooth contexts when Gatt notifications are turned on by remote.
  2b8fa2b4a kubernetes: allow kubelet to connect all TCP ports
  9ab94df30 container: allow reading generic certs
  7530dfa3c testing: add container_kvm_t to net admin exempt list
  47eced9be Makefile: drop duplicate quotes
  b0b0d52dd various: rules required for DV manipulation in kubevirt
  21e4a44c0 container: add container_kvm_t and supporting kubevirt rules
  a9bd177bb iptables: allow reading container engine tmp files
  af0b40824 container: allow spc various rules for kubevirt
  d585f08c2 container, kubernetes: add supporting rules for kubevirt and multus
  9f37f86b2 dbus: dontaudit session bus domains the netadmin capability
  d9ca32f5a container: allow super privileged containers to manage BPF dirs
  1900fbe68 kubernetes: allow kubelet to create unlabeled dirs
  b9c8ba607 haproxy: allow interactive usage
  846804c58 podman: allow managing init runtime units
  8787b3d8d iptables: allow reading usr files
* Drop obsolete patches:
  0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
  0039-policy-modules-system-authlogin-fix-login-errors-aft.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
| Path |
|---|
| classes |
| conf |
| dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils |
| recipes-connectivity |
| recipes-core |
| recipes-devtools/rpm |
| recipes-extended |
| recipes-graphics |
| recipes-kernel |
| recipes-security |
| recipes-support |
| .gitignore |
| MAINTAINERS |
| README |
| SELinux-FAQ |
meta-selinux
============

This layer's purpose is enabling SELinux support. The majority of this layer's work is accomplished in bbappend files, used to enable SELinux support in existing recipes.

A new recipes-security category was added. Its purpose is to add software specific to system security.

Please see the MAINTAINERS file for information on contacting the maintainers of this layer, as well as instructions for submitting patches.

Dependencies
------------

This layer depends on the openembedded-core metadata and the meta-python and meta-oe layers from the meta-openembedded repository.

Maintenance
-----------

Please see the MAINTAINERS file for information on contacting the maintainers of this layer, as well as instructions for submitting patches.

Building the meta-selinux layer
-------------------------------

In order to add SELinux support to the poky build, this layer should be added to your project's bblayers.conf file.

By default the SELinux components are disabled. This conforms to the Yocto Project compatible guideline, which indicates that simply including a layer should not change the system behavior. In order to use the components in this layer you must add 'selinux' to DISTRO_FEATURES. In addition to selinux, you should be sure that acl, xattr and pam are also present, e.g.

    DISTRO_FEATURES:append = " acl xattr pam selinux"

You must also specify a preferred provider for virtual/refpolicy. The policies included with this layer are simply reference policies and will need to be tailored for your environment.

* Enable the refpolicy-mls, e.g.

    PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"

Using a different init manager
------------------------------

By default, SELinux-enabled images come up with "sysvinit" as the init manager. "systemd" can be used as the init manager instead by adding the following to local.conf:

    INIT_MANAGER = "systemd"

Enable labeling on first boot
-----------------------------

By default, the system labels SELinux contexts during the build. To enable labeling on first boot instead, set FIRST_BOOT_RELABEL to 1 in local.conf:

    FIRST_BOOT_RELABEL = "1"

Starting up the system
----------------------

Most likely the reference policy selected will not just work "out of the box". As always, if you update the reference policy to work better with OpenEmbedded or Poky configurations, please submit the changes back to the project.

When using 'core-image-selinux', the system will boot and automatically set up the policy by running "fixfiles -f -F relabel" for you. This is implemented via the 'selinux-autorelabel' recipe.

'core-image-selinux-minimal' does not automatically relabel the system, so you must boot with the kernel parameters "selinux=1 enforcing=0" and then perform the setup manually; running 'fixfiles -f -F relabel' is available in this configuration.

After logging in you can verify SELinux is present using:

    $ sestatus

Output should include:

    SELinux status:                 enabled
    ...
    Current mode:                   enforcing
    ...

The above indicates that SELinux is currently running, and whether or not you are running in enforcing mode.

License
-------

All metadata is MIT licensed unless otherwise stated. Source code included in tree for individual recipes is under the LICENSE stated in each recipe (.bb file) unless otherwise stated.

This README document is Copyright (C) 2012 Wind River Systems, Inc.
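The boot-time relabel and the sestatus check described above, as an added example that is not the layer's own selinux-autorelabel recipe: it decides from the kernel command line and a relabel flag file whether "fixfiles -f -F relabel" should run, and reduces sestatus output to the status/mode pair the README tells you to look for. The flag file path (/.autorelabel) and reading the command line from /proc/cmdline are assumptions, not from the README.

```shell
#!/bin/sh
# Added example, not the layer's selinux-autorelabel recipe: boot-time helpers
# for an SELinux image built from this layer. Assumed (not from the README):
# the relabel request is a flag file (default /.autorelabel) and the kernel
# command line comes from /proc/cmdline; both are parameters for offline use.

# Print the value of NAME=value from a kernel command line string (status 1
# when NAME is absent).
cmdline_value() {
    name=$1; cmdline=$2
    for tok in $cmdline; do
        case "$tok" in
            "$name"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Decide whether a relabel should run: SELinux must not be disabled on the
# command line (selinux=0) and the flag file must exist.
# Prints "relabel", "skip-disabled" or "skip-noflag".
relabel_decision() {
    flag=$1; cmdline=$2
    if [ "$(cmdline_value selinux "$cmdline")" = "0" ]; then
        echo skip-disabled; return 0
    fi
    [ -e "$flag" ] || { echo skip-noflag; return 0; }
    echo relabel
}

# Reduce `sestatus` output (passed as text) to "<status>/<mode>", e.g.
# "enabled/enforcing"; the mode is "-" when SELinux is disabled.
sestatus_summary() {
    printf '%s\n' "$1" | awk -F': *' '
        $1 == "SELinux status" { status = $2 }
        $1 == "Current mode"   { mode = $2 }
        END { printf "%s/%s\n", status, (mode == "" ? "-" : mode) }'
}

# Run the relabel the README describes; stay permissive so the relabel
# itself is not blocked, then clear the flag and reboot into the policy.
do_relabel() {
    flag=${1:-/.autorelabel}
    setenforce 0 2>/dev/null
    fixfiles -f -F relabel && rm -f "$flag" && reboot
}
```

At boot the script would call `relabel_decision /.autorelabel "$(cat /proc/cmdline)"` and invoke `do_relabel` only on a `relabel` result; `sestatus_summary "$(sestatus)"` gives the enabled/enforcing pair after login.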